
Congressional 
Research Service 

Informing the legislative debate since 1914 



The EU-U.S. Safe Harbor Agreement on 
Personal Data Privacy: In Brief 

Martin A. Weiss 

Specialist in International Trade and Finance 

Kristin Archick 

Specialist in European Affairs 

October 29, 2015 



Congressional Research Service 

7-5700 

www.crs.gov 

R44257 



CRS REPORT 
Prepared for Members and 
Committees of Congress






Contents 

Overview

Data Privacy and Protection in the EU and the United States

The EU Approach and the 1995 Data Protection Directive (DPD)

The U.S. Approach

Transatlantic Data Flows

The Safe Harbor Agreement

The CJEU Decision

Moving Toward Safe Harbor 2.0

Current Status of U.S.-EU Safe Harbor Negotiations

Future Prospects

Options for Affected Companies

Issues for Congress

Contacts

Author Contact Information






Overview 

On October 6, 2015, the Court of Justice of the European Union (CJEU) delivered a judgment 1 
that invalidates the Safe Harbor Agreement between the United States and the 28-member 
European Union (EU). 2 Safe Harbor is a 15-year-old accord, under which personal data could 
legally be transferred between EU member countries and the United States. The negotiation of 
Safe Harbor was largely driven by the EU’s 1995 Data Protection Directive (DPD) and European 
concerns that the U.S. approach to data privacy did not guarantee a sufficient level of protection 
for European citizens’ personal data. The Safe Harbor Agreement applies to a wide range of 
businesses and organizations that collect and hold personal data. When the parties concluded the 
Safe Harbor Agreement in 2000, however, the Internet was still in its infancy, and the range of 
public and private actors engaged in the mass processing of personal data, including across 
borders, was much more limited than today. 

The CJEU case stems from a 2013 complaint brought by an Austrian citizen and Facebook user, 
Maximillian Schrems, who claimed that the United States, and ultimately the Safe Harbor 
Agreement, failed to meet EU data protection standards in light of the unauthorized disclosures of 
classified U.S. surveillance programs by former U.S. National Security Agency (NSA) contractor 
Edward Snowden. In its decision, the CJEU determined that U.S. data protection measures do not 
provide an “adequate level of protection” for personal data as required by the EU DPD, and thus 
Safe Harbor, as currently agreed, is invalid. The CJEU ruling also found that the agreement’s 
national security exemptions essentially prevail over the Safe Harbor principles. Any companies 
that were using Safe Harbor as a legal basis for transatlantic data transfers must now individually 
implement alternative measures including so-called “model contractual clauses” or Binding 
Corporate Rules (BCRs) to legitimize the transfer of personal data between the United States and 
the EU. 

Given that some 4,500 U.S. companies (including U.S. subsidiaries of European firms) 
participate in Safe Harbor and that digital trade flows make up an important and growing segment 
of the transatlantic economy, many trade and industry groups were deeply dismayed by the 
CJEU’s decision. Experts suggest that the CJEU ruling could create legal uncertainties for many 
U.S. companies. Some contend that the CJEU judgment could raise operating costs, especially for 
small- and medium-size businesses, and negatively affect U.S.-EU trade and investment ties. 

Some analysts also contend that the broad nature of the CJEU’s decision could have implications 
for other U.S.-EU data-sharing arrangements, in both the commercial sector and the law 
enforcement field. Such U.S.-EU agreements, including Safe Harbor, have come under increased 
scrutiny since the revelation of the NSA programs and subsequent allegations that some U.S. 
Internet and telecommunication companies were involved in the reported NSA activities. The 
United States and the EU have engaged in a number of efforts to address European concerns 
about U.S.-EU data flows, including discussions started in late 2013 to improve the Safe Harbor 
Agreement. Although negotiations between the EU and U.S. authorities are reportedly close to 
completion, divisions still exist over the EU demand to ensure only limited access to “Safe 
Harbor data” for national security purposes. Some experts suggest, however, that U.S. legislation 
currently under consideration, the Judicial Redress Act of 2015 (H.R. 1428 and S. 1600), could 



1 Case C-362/14, Maximillian Schrems v. Digital Rights Ireland Ltd. (2015). 

2 The EU 28 member states are: Austria; Belgium; Bulgaria; Croatia; Cyprus; the Czech Republic; Denmark; Estonia; 
Finland; France; Germany; Greece; Hungary; Ireland; Italy; Latvia; Lithuania; Luxembourg; Malta; the Netherlands; 
Poland; Portugal; Romania; Slovakia; Slovenia; Spain; Sweden; and the United Kingdom. 






